If your self-managed applications are distributed across multiple virtual private clouds (VPCs) within the same region, you can purchase a Key Management Service (KMS) instance in one VPC and associate other VPCs with that instance. Applications in different VPCs then share the same KMS instance, simplifying key management across your infrastructure.
VPC quantity limits
Each VPC you associate with a KMS instance consumes one unit of Access Management Quantity — a capacity quota you set when purchasing the instance. This quota covers two types of associations:
| Association type | Quota consumed |
|---|---|
| Each VPC linked to a KMS instance | 1 per VPC |
| Each principal (Alibaba Cloud account) with shared access | 1 per principal |
For example, to associate 3 VPCs and share the instance with 2 principals, set Access Management Quantity to at least 5.
To increase this quota, see Modify instance specifications.
Prerequisites
Before you begin, ensure that you have:
A KMS instance that is purchased and enabled. See Purchase and enable a KMS instance.
A VPC in the same region as the KMS instance.
(Cross-account only) A vSwitch within the VPC that is shared with the Alibaba Cloud account that owns the KMS instance. See Resource owner enables VPC sharing.
Associate VPCs with a KMS instance
Console
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.
On the Instances page, click the tab for your instance type.
Find the KMS instance and click Details in the Actions column. On the instance details page, click the VPCs tab.
Click Configure VPC. In the Configure VPC panel, select the VPCs you want to associate from the Available VPCs section, then click the icon to move them to the selected list. In the Select vSwitch to Associate with VPC dialog box, select a vSwitch for each VPC and click OK.
You can select any vSwitch in the VPC; it does not have to be the one your application uses. Make sure that the vSwitch has at least one available IP address, because KMS uses that address to reach your network.
In the Configure VPC panel, click OK.
API
Call the UpdateKmsInstanceBindVpc operation.
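The following Python script is an added example (not Alibaba Cloud's own code) that applies the quota and prerequisite rules above before calling UpdateKmsInstanceBindVpc: it computes the Access Management Quantity needed for N VPCs plus M shared principals, checks that every VPC is in the instance's region and carries exactly one vSwitch, and then builds the request. It assumes, because this page does not state it, that the BindVpcs parameter is a JSON array of objects with the keys VpcId, VSwitchId, RegionId and VpcOwner, and that the Python SDK package alibabacloud_kms20160120 exposes an UpdateKmsInstanceBindVpcRequest model. All VPC, vSwitch and account IDs below are constructed samples.

```python
"""Validate and submit VPC bindings for a KMS instance (added example).

Assumed, not confirmed by the page: BindVpcs is a JSON array of
{VpcId, VSwitchId, RegionId, VpcOwner}, and the SDK names used in
update_kms_instance_bind_vpc(). Sample IDs are constructed.
"""
import json
import os
import re
from dataclasses import dataclass

# Alibaba Cloud resource IDs carry a type prefix; reject anything else early.
_ID_PATTERNS = {
    "vpc_id": re.compile(r"^vpc-[0-9a-z]+$"),
    "vswitch_id": re.compile(r"^vsw-[0-9a-z]+$"),
}


@dataclass(frozen=True)
class VpcBinding:
    vpc_id: str
    vswitch_id: str  # needs one free IP; KMS uses it to reach the VPC
    region_id: str   # must equal the KMS instance's region
    vpc_owner: str   # account ID owning the VPC (cross-account sharing)


def quota_shortfall(vpc_count: int, principal_count: int, quota: int) -> int:
    """Units of Access Management Quantity still missing (0 = quota suffices).

    One unit per associated VPC plus one per principal with shared access.
    """
    return max(0, vpc_count + principal_count - quota)


def validate_bindings(bindings, instance_region, quota, shared_principals=0):
    """Return a list of problems; an empty list means the bindings can be submitted."""
    problems = []
    shortfall = quota_shortfall(len(bindings), shared_principals, quota)
    if shortfall:
        problems.append(f"Access Management Quantity short by {shortfall}; "
                        "raise it via Modify instance specifications")
    seen = set()
    for b in bindings:
        for field, pattern in _ID_PATTERNS.items():
            value = getattr(b, field)
            if not pattern.match(value):
                problems.append(f"malformed {field}: {value!r}")
        if b.region_id != instance_region:
            problems.append(f"{b.vpc_id} is in {b.region_id}, "
                            f"instance is in {instance_region}")
        if b.vpc_id in seen:
            problems.append(f"{b.vpc_id} listed twice; exactly one vSwitch per VPC")
        seen.add(b.vpc_id)
    return problems


def bind_vpcs_payload(bindings, instance_region, quota, shared_principals=0):
    """Build the BindVpcs array (assumed key names) or raise on any rule violation."""
    problems = validate_bindings(bindings, instance_region, quota, shared_principals)
    if problems:
        raise ValueError("; ".join(problems))
    return [{"VpcId": b.vpc_id, "VSwitchId": b.vswitch_id,
             "RegionId": b.region_id, "VpcOwner": b.vpc_owner} for b in bindings]


def bind_vpcs_json(bindings, instance_region, quota, shared_principals=0) -> str:
    """BindVpcs serialized as the compact JSON string passed to the API."""
    payload = bind_vpcs_payload(bindings, instance_region, quota, shared_principals)
    return json.dumps(payload, separators=(",", ":"))


def update_kms_instance_bind_vpc(kms_instance_id, bind_vpcs, region_id):
    """Submit the request with the Alibaba Cloud Python SDK.

    SDK class and field names are assumed; the import is deferred so the
    validation helpers above run without the SDK installed.
    """
    from alibabacloud_tea_openapi import models as open_api_models
    from alibabacloud_kms20160120.client import Client
    from alibabacloud_kms20160120 import models as kms_models

    config = open_api_models.Config(
        access_key_id=os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"],
        access_key_secret=os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"],
        endpoint=f"kms.{region_id}.aliyuncs.com",
    )
    request = kms_models.UpdateKmsInstanceBindVpcRequest(
        kms_instance_id=kms_instance_id, bind_vpcs=bind_vpcs)
    return Client(config).update_kms_instance_bind_vpc(request)


# Constructed sample: 3 VPCs in cn-hangzhou, instance shared with 2 other
# principals, so Access Management Quantity must be at least 5.
SAMPLE_BINDINGS = [
    VpcBinding("vpc-bp1example0001", "vsw-bp1example0001", "cn-hangzhou", "1234567890123456"),
    VpcBinding("vpc-bp1example0002", "vsw-bp1example0002", "cn-hangzhou", "1234567890123456"),
    VpcBinding("vpc-bp1example0003", "vsw-bp1example0003", "cn-hangzhou", "6543210987654321"),
]

if __name__ == "__main__":
    body = bind_vpcs_json(SAMPLE_BINDINGS, "cn-hangzhou", quota=5, shared_principals=2)
    print(body)
    # Only talk to the API when credentials and an instance ID are present.
    if "ALIBABA_CLOUD_ACCESS_KEY_ID" in os.environ and "KMS_INSTANCE_ID" in os.environ:
        print(update_kms_instance_bind_vpc(os.environ["KMS_INSTANCE_ID"], body, "cn-hangzhou"))
```

Run it without credentials to see the validated BindVpcs string; set ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET and KMS_INSTANCE_ID to submit it. Note that the call replaces the instance's binding list as a whole, so include every VPC that should stay associated, not just the new one.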
Terraform
See Purchase and enable a KMS instance of the software key management type.
What's next
Choose an integration method to connect your applications to the KMS instance. KMS supports the Alibaba Cloud SDK, secret SDK, KMS Agent, and KMS instance SDK (not recommended). See Application access for details.